Chris Frohoff
...instead of stack traces
Support loading plugins that register additional functions from external gems. This should probably include some sort of unique namespacing and short name aliasing for functions.
Document language syntax for things like literals, function calls, pipes, files, etc.
https://i.blackhat.com/eu-19/Thursday/eu-19-Zhang-New-Exploit-Technique-In-Java-Deserialization-Attack.pdf
Docs with common troubleshooting steps.
https://afinepl.medium.com/testing-and-exploiting-java-deserialization-in-2021-e762f3e43ca2
https://rhinosecuritylabs.com/research/java-deserializationusing-ysoserial/
Topics:
- Encoding issues
- JDK version issues
- Dependency version mismatch issues
- ObjectInputFilter issues
- Command tokenization issues
- Exceptions on...
Provide CLI parameters to allow override of serialVersionUID on a per-class basis. `java -jar ysoserial.jar -s BeanComparator=-3490850999041592962 ...` Probably fairly easy to implement by extending `ObjectOutputStream` and `ObjectStreamClass`.
Project should be refactored to allow gadgets/chains to be generated (and unit tested) with only the exact required dependencies and versions, even in cases where two different gadgets/chains require...
More complete and cross-platform version of #60 http://codewhitesec.blogspot.com/2015/03/sh-or-getting-shell-environment-from.html
For running tests across different JDK versions to generate a JDK/gadget support matrix, as well as executing generator/exploit(s). Probably something with Docker.
* https://github.com/shyiko/jabba
* https://github.com/vulhub/java/tree/master/jdk
Implements #71